
Commit 8ca7b56

Browse files
cailmdaley and claude committed
chore: SHA-pin all GitHub Actions across workflows
Mutable action references (@v4, @V3, …) are the same failure mode that took out tj-actions/changed-files (23k+ repos compromised in Q1 2026) and trivy-action. An attacker who compromises an action's maintainer account can silently re-point a tag at a malicious SHA, and every workflow that references that tag pulls the new code on the next run.

Pinning each action by full commit SHA — with the human-readable tag preserved as a trailing comment — closes that vector. Dependabot's github-actions ecosystem (enabled in the companion commit) proposes SHA bumps with the new tag annotated in the PR body, so updates remain reviewable.

All four workflows pinned; SHAs resolved against current refs as of this commit, no behavioral change intended.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 5ee1997 commit 8ca7b56

4 files changed

Lines changed: 17 additions & 17 deletions
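The commit message describes two mechanical steps: resolving each tag to the commit it currently points at, and writing that commit SHA into `uses:` with the tag kept as a trailing `# vX.Y.Z` comment that Dependabot can later update. The script below is an added example, not code from this commit or its repository. It audits a workflow for refs that are not full 40-hex SHAs, checks that each trailing tag comment still resolves to the pinned SHA, and rewrites a mutable ref into the pinned form the diff uses. `fetch_tags()` is the only part that touches the network (plain `git ls-remote`); the `DEMO_INDEX` and `DEMO_WORKFLOW` at the bottom are constructed, with placeholder SHAs that resolve nothing real, so the file runs offline. All function and constant names are the example's own.

```python
"""Audit and pin GitHub Actions `uses:` references by commit SHA.
Added example, not the commit's or repository's code. fetch_tags() is the live
resolver (needs network); the demo index below uses placeholder SHAs."""
from __future__ import annotations

import re
import subprocess
from collections.abc import Mapping
from dataclasses import dataclass

# `- uses: owner/repo[/path]@ref  # tag` (local `./x` and `docker://` refs don't match)
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<tag>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TagIndex = Mapping[str, Mapping[str, str]]  # action -> {tag: commit sha}


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str  # mutable | short-sha | unannotated | tag-unresolved | tag-mismatch


def fetch_tags(action: str) -> dict[str, str]:
    """Live resolver: {tag: commit sha} for the action's repo via git ls-remote."""
    owner_repo = "/".join(action.split("/")[:2])
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{owner_repo}"],
        capture_output=True, text=True, check=True,
    ).stdout
    tags: dict[str, str] = {}
    for line in out.splitlines():
        sha, ref = line.split("\t", 1)
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            tags[name[:-3]] = sha       # peeled annotated tag -> the commit the runner checks out
        else:
            tags.setdefault(name, sha)  # lightweight tag already is the commit
    return tags


def most_specific_tag(tags: Mapping[str, str], sha: str, fallback: str) -> str:
    """Pick `v4.3.1` over `v4.3` over `v4` for the human-readable comment."""
    matches = [t for t, s in tags.items() if s == sha]
    return max(matches, key=lambda t: (t.count("."), len(t))) if matches else fallback


def audit(workflow_text: str, index: TagIndex) -> list[Finding]:
    """One Finding per `uses:` line that is not a verifiable full-SHA pin."""
    findings: list[Finding] = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, tag = m["action"], m["ref"], m["tag"]
        if not FULL_SHA_RE.match(ref):
            kind = "short-sha" if re.fullmatch(r"[0-9a-f]{7,39}", ref) else "mutable"
            findings.append(Finding(n, action, ref, kind))
        elif tag is None:
            findings.append(Finding(n, action, ref, "unannotated"))
        else:
            expected = index.get(action, {}).get(tag)
            if expected is None:
                findings.append(Finding(n, action, ref, "tag-unresolved"))
            elif expected != ref:
                findings.append(Finding(n, action, ref, "tag-mismatch"))
    return findings


def pin_line(line: str, index: TagIndex) -> str:
    """Rewrite `uses: a/b@v4` as `uses: a/b@<sha> # v4.3.1`; pinned lines pass through."""
    m = USES_RE.match(line)
    if not m or FULL_SHA_RE.match(m["ref"]):
        return line
    tags = index.get(m["action"], {})
    sha = tags.get(m["ref"])
    if sha is None:  # unknown tag or a short SHA: refuse to guess
        raise ValueError(f"{m['action']}@{m['ref']}: cannot resolve to a commit")
    return f"{line[:m.start('ref')]}{sha} # {most_specific_tag(tags, sha, m['ref'])}"


# --- constructed offline demo: placeholder SHAs, not real tag resolutions ---
SHA_A, SHA_B, SHA_C = "a" * 40, "b" * 40, "c" * 40
DEMO_INDEX: TagIndex = {
    "actions/checkout": {"v4": SHA_A, "v4.3": SHA_A, "v4.3.1": SHA_A, "v4.2.2": SHA_B},
    "docker/login-action": {"v3": SHA_C, "v3.7.0": SHA_C},
}
DEMO_WORKFLOW = f"""\
steps:
  - uses: actions/checkout@v4
  - uses: actions/checkout@{SHA_A} # v4.3.1
  - uses: docker/login-action@{SHA_C} # v3.6.0
  - uses: docker/login-action@{SHA_B} # v3.7.0
  - uses: actions/checkout@{SHA_A[:7]}
  - uses: actions/checkout@{SHA_A}
"""
```

Against a real checkout, build the index with `{a: fetch_tags(a) for a in actions}` and pass each workflow's text to `audit()`; any `tag-mismatch` means the comment and the SHA have drifted apart, which is exactly the condition a reviewer cannot spot by eye. `pin_line()` deliberately raises on a short SHA or an unknown tag rather than guessing, and it writes the most specific tag it can find for the commit (the `# v4.3.1` form this commit uses, not `# v4`), because that comment is what Dependabot reads and rewrites when it proposes a bump.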


.github/workflows/cd.yml

Lines changed: 3 additions & 3 deletions
@@ -13,10 +13,10 @@ jobs:
1313
runs-on: ubuntu-latest
1414

1515
steps:
16-
- uses: actions/checkout@v2
16+
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
1717

1818
- name: Set up conda
19-
uses: conda-incubator/setup-miniconda@v2
19+
uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2.3.0
2020
with:
2121
auto-update-conda: true
2222
python-version: 3.9
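Review bot: the two pins in this hunk freeze superseded majors (actions/checkout v2.7.0, setup-miniconda v2.3.0) while ci-release.yml in the same commit pins `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` and `setup-miniconda@fc2d68f6413eb2d87b895e92f8584b5b94a10167 # v3.3.0`. A SHA pin on an end-of-life major does close the tag-retarget vector, but that commit will never receive a fix, so the pin preserves whatever the old major already had wrong. That is consistent with the stated "no behavioral change" scope, but say so in the message and plan the major bump as the immediate follow-up rather than waiting for Dependabot to surface it.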
@@ -38,7 +38,7 @@ jobs:
3838
sphinx-build -E docs/source docs/_build
3939
4040
- name: Deploy API documentation
41-
uses: peaceiris/actions-gh-pages@v3.5.9
41+
uses: peaceiris/actions-gh-pages@cf301857435c1f95963b21d58f452a7617770d60 # v3.5.9
4242
with:
4343
github_token: ${{ secrets.GITHUB_TOKEN }}
4444
publish_dir: docs/_build
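Review bot: `peaceiris/actions-gh-pages@v3.5.9` was already a patch-level tag and the hunk keeps that exact text as the comment, which is correct: a tag is a movable ref, so `@v3.5.9` would have followed a retargeted commit just as `@v3` would. One thing to confirm for this and every other pin in the commit is that the 40-hex value is the peeled commit, not the tag object: `git ls-remote --tags https://github.com/peaceiris/actions-gh-pages refs/tags/v3.5.9` prints both for an annotated tag, and the `^{}` line is the commit the runner checks out. This step also runs with `github_token: ${{ secrets.GITHUB_TOKEN }}`, so the pinned code is what gets write access to the gh-pages branch; that is the step where a retargeted tag would have done the most damage, and it is worth calling out in the message.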

.github/workflows/ci-release.yml

Lines changed: 2 additions & 2 deletions
@@ -19,7 +19,7 @@ jobs:
1919
python-version: [3.11]
2020

2121
steps:
22-
- uses: actions/checkout@v4
22+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
2323

2424
- name: Install Linux dependencies
2525
if: runner.os == 'Linux'
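Review bot: while touching the checkout step in the release workflow, add `persist-credentials: false` under a `with:` block. actions/checkout v4 stores the job's `GITHUB_TOKEN` in the checked-out repository's `.git/config` by default, where every later step, including anything the conda environment installs below, can read it. Only leave the default if a later step in this job pushes with that token.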
@@ -35,7 +35,7 @@ jobs:
3535
brew reinstall gcc
3636
3737
- name: Set up conda
38-
uses: conda-incubator/setup-miniconda@v3
38+
uses: conda-incubator/setup-miniconda@fc2d68f6413eb2d87b895e92f8584b5b94a10167 # v3.3.0
3939
with:
4040
auto-update-conda: true
4141
python-version: ${{ matrix.python-version }}
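Review bot: the SHA pin covers setup-miniconda's own code, not what it downloads. With `auto-update-conda: true` on the unchanged context line, the step still fetches the current conda at run time and resolves packages from a live channel, so the build keeps a mutable dependency that a retargeted tag never touched. If the intent is a tamper-evident release pipeline, pin the installer too (the action's `miniconda-version` input) and resolve the environment from a lock file; otherwise state in the message that the pin is action-level only.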

.github/workflows/deploy-image.yml

Lines changed: 9 additions & 9 deletions
@@ -11,39 +11,39 @@ jobs:
1111
packages: write
1212
steps:
1313
- name: Checkout repository
14-
uses: actions/checkout@v4
14+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1515

1616
- name: Log in to the Container registry
17-
uses: docker/login-action@v3
17+
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
1818
with:
1919
registry: ${{ env.REGISTRY }}
2020
username: ${{ github.actor }}
2121
password: ${{ secrets.GITHUB_TOKEN }}
2222

2323
- name: Set up Docker Buildx
24-
uses: docker/setup-buildx-action@v3
24+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
2525
with:
2626
driver-opts: network=host
2727

2828
# Two parallel tag sets. `dev` is the default (no suffix, e.g. `:latest`,
2929
# `:develop`); `runtime` carries a `-runtime` suffix.
3030
- name: Tags — dev (default)
3131
id: meta-dev
32-
uses: docker/metadata-action@v5
32+
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
3333
with:
3434
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
3535

3636
- name: Tags — runtime
3737
id: meta-runtime
38-
uses: docker/metadata-action@v5
38+
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
3939
with:
4040
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
4141
flavor: |
4242
suffix=-runtime,onlatest=true
4343
4444
# Build runtime first (smaller, used to smoke-test pipeline binaries)
4545
- name: Build runtime (load)
46-
uses: docker/build-push-action@v6
46+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
4747
with:
4848
context: .
4949
target: runtime
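Review bot: the pins close the action-tag vector for this job, but the image build keeps two mutable inputs the diff does not reach. The Dockerfile under `context: .` (not shown here) still selects its base images by tag unless its `FROM` lines are digest-pinned (`image@sha256:…`, with the same trailing `# tag` comment convention used for the actions), and the tags this job publishes through `docker/metadata-action` (`:latest`, `:develop`, the `-runtime` variants) are themselves movable references, so downstream consumers of the image are in the position this commit just moved the workflows out of. The `docker/login-action` step is fine as is: it uses `${{ secrets.GITHUB_TOKEN }}` under the job's `packages: write`, so no long-lived registry credential is exposed to the pinned code.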
@@ -70,7 +70,7 @@ jobs:
7070
7171
# Build dev (reuses cached `base` layer)
7272
- name: Build dev (load)
73-
uses: docker/build-push-action@v6
73+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
7474
with:
7575
context: .
7676
target: dev
@@ -90,7 +90,7 @@ jobs:
9090
9191
# Push both targets
9292
- name: Push runtime
93-
uses: docker/build-push-action@v6
93+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
9494
with:
9595
context: .
9696
target: runtime
@@ -100,7 +100,7 @@ jobs:
100100
cache-from: type=gha
101101

102102
- name: Push dev
103-
uses: docker/build-push-action@v6
103+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
104104
with:
105105
context: .
106106
target: dev
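Review bot: `cache-from: type=gha` on the unchanged context line means the pushed dev image is assembled from layers restored out of the Actions cache, which an earlier run wrote, so a fully pinned action set does not make this push hermetic. Caches are scoped to the ref that wrote them and to the default branch, so the question to answer in the PR is which triggers can write entries that a default-branch push later restores; if any untrusted trigger can, the pin effort is undone at the layer level. If the cache is kept, say in the message that the pins cover action code and not cached build output.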

.github/workflows/doc-tests.yml

Lines changed: 3 additions & 3 deletions
@@ -8,10 +8,10 @@ jobs:
88
runs-on: ubuntu-latest
99

1010
steps:
11-
- uses: actions/checkout@v2
11+
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
1212

1313
- name: Set up conda
14-
uses: conda-incubator/setup-miniconda@v2
14+
uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2.3.0
1515
with:
1616
auto-update-conda: true
1717
python-version: 3.8
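Review bot: these two `uses:` lines are byte-for-byte the same pins as in cd.yml (`ee0669bd…# v2.7.0`, `9f54435e…# v2.3.0`), and the job below also hard-codes `python-version: 3.8`, which reached end of life in October 2024. Duplicated pins drift when one file is bumped and the other is not; if the docs jobs are meant to stay in step, move the shared conda setup into a composite action or reusable workflow so the SHA lives in one place, and fold the Python and action major bumps into the follow-up that cd.yml needs anyway.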
@@ -33,7 +33,7 @@ jobs:
3333
sphinx-build -E docs/source docs/_build
3434
3535
- name: Archive API build
36-
uses: actions/upload-artifact@v2
36+
uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
3737
with:
3838
name: api-docs
3939
retention-days: 14
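Review bot: `actions/upload-artifact` v2 is a retired major. GitHub has announced end of support for the v1 through v3 artifact actions and fails jobs that still use them, so pinning `82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1` most likely preserves a step that no longer runs at all. Check whether this job has been green recently before treating the pin as a no-op; the real fix is to move to the current major and pin that SHA, which Dependabot will propose but which is a behavior change and belongs in its own commit.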

0 commit comments